All posts by Colin Snover

Dojo Security Advisory 2014-12-08

Introduction

Several XSS vulnerabilities have been discovered and fixed in the Dojo Toolkit.

Masato Kinugawa discovered a security flaw in the SWF component of the dojox/form/FileUploader widget that allows for cross-site scripting attacks on domains hosting the affected SWF.

After evaluating the disclosed vulnerability, the Dojo Toolkit security team discovered similar XSS vulnerabilities in other dojox components, including dojox/av/FLAudio, dojox/av/FLVideo, and dojox/form/Uploader. A potential XSS vulnerability with a different attack vector was also discovered in dojox/embed/Flash.

Note that these vulnerabilities are isolated to the dojox package; if you publish only the dojo and/or dijit packages, you are not affected by this security advisory and do not need to take any action. We recommend that all users that publish the dojox package upgrade to the latest point release.

Vulnerable

Dojo Toolkit 1.2
Dojo Toolkit 1.3
Dojo Toolkit 1.4.5 and earlier
Dojo Toolkit 1.5.3 and earlier
Dojo Toolkit 1.6.2 and earlier
Dojo Toolkit 1.7.7 and earlier
Dojo Toolkit 1.8.8 and earlier
Dojo Toolkit 1.9.5 and earlier
Dojo Toolkit 1.10.2 and earlier

Patches

New versions of the Dojo Toolkit have been released containing fixes for the vulnerabilities listed in this security advisory:

1.4.6 (patch)
1.5.4 (patch)
1.6.3 (patch)
1.7.8 (patch)
1.8.9 (patch)
1.9.6 (patch)
1.10.3 (patch)

Dojo 1.3 and earlier are end-of-life products. Users running Dojo 1.3 and earlier are urged to upgrade immediately to a more recent version of the toolkit.

Workarounds

1. Delete the SWF files listed under “attack vector” below; and
2. Ensure all user input passed to dojox/embed/Flash is HTML escaped.

Attack vector

http://xxx/dojox/av/resources/audio.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?src=…?\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?videoUrl=…?\"))-alert(1);}catch(e){}//
http://xxx/dojox/form/resources/fileuploader.swf?flashButton=%3A\"))-alert(1);}catch(e){}//%3B
http://xxx/dojox/form/resources/fileuploader.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/form/resources/uploader.swf?id=\"))-alert(1);}catch(e){}//

Impact

Cross-site scripting.

CVSS Severity (2.0)

CVSS Base Score: 4.3
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Temporal Score: 3.2
CVSS Environmental Score: Not Defined
Modified Impact Subscore: Not Defined
Overall CVSS Score: 3.2

CVSS v2 Vector (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Background

The Adobe Flash Player ExternalInterface API contains a known security issue where backslashes in strings passed to ExternalInterface.call are not correctly escaped by the Flash Player runtime. This enables arbitrary code to be executed if unsanitised user input is passed through ExternalInterface.call. Several SWF files inside the Dojo Toolkit passed unsanitised user data through ExternalInterface.call to console.log and dojo.publish, introducing a cross-site scripting vulnerability.
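The following is an added example, not code from Dojo or Adobe, that models the ExternalInterface problem described above and the caller-side fix: escape backslashes before the string reaches ExternalInterface.call, so the runtime's own quote escaping can no longer be undone. It assumes a simplified model of the runtime (each string argument is wrapped in double quotes, with " rewritten to \" and \ left untouched); the function names and the sample input are constructed for illustration.

```javascript
// Added example (not Dojo's or Adobe's code). Models the ExternalInterface
// escaping problem and the caller-side fix in plain JavaScript.
// Assumption: the runtime wraps each string argument in double quotes and
// escapes '"' as '\"' but leaves '\' alone. This is a simplified model.

// What the runtime does with a string argument (modelled, not real Flash code).
function flashRuntimeQuote(s) {
  return '"' + s.replace(/"/g, '\\"') + '"';
}

// Caller-side fix: escape backslashes *before* handing the string to
// ExternalInterface.call. A backslash in user data can then never pair up
// with the backslash the runtime inserts in front of a quote.
function escapeForExternalInterface(s) {
  return s.replace(/\\/g, '\\\\');
}

// Reads the quoted literal back the way a JS engine would. JSON string syntax
// covers the two escape sequences this model produces, and JSON.parse throws
// when the text is not exactly one string literal, i.e. the quote was closed
// early and something followed it.
function roundTrip(literal) {
  try {
    return { ok: true, value: JSON.parse(literal) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample: user-controlled text containing a backslash-quote pair,
// the character combination the advisory's attack vectors rely on.
const sampleInput = 'id=a\\"b';

// Returns whether the value survives the trip intact with and without the fix.
function demonstrate(input) {
  const unsafe = roundTrip(flashRuntimeQuote(input));
  const safe = roundTrip(flashRuntimeQuote(escapeForExternalInterface(input)));
  return {
    unsafeIntact: unsafe.ok && unsafe.value === input,
    safeIntact: safe.ok && safe.value === input,
  };
}

console.log(demonstrate(sampleInput));
```

With the sample input, the unmodified path fails to round-trip (the literal is terminated by the backslash-quote pair), while the pre-escaped path returns the original value unchanged. The same check is worth running on any value an SWF forwards to JavaScript, not only the id parameter.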

Additionally, JavaScript code in dojox/embed/Flash builds HTML strings for injection into the page without ensuring that special characters are properly encoded. This allowed arbitrary HTML to be injected into a page that uses dojox/embed/Flash if unsanitised user input was passed to it.
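The following is an added example, not the real dojox/embed/Flash code, showing the string-building pattern described above in its unsafe form beside a hardened form, and the HTML-escaping the workaround in this advisory asks callers to apply. The markup shape, the parameter names and the sample values are assumptions constructed for illustration.

```javascript
// Added example (not dojox/embed/Flash's own code): HTML string building,
// unsafe and hardened. Markup shape and parameter names are assumed.

// Encodes the five characters that can change meaning inside HTML text or a
// double- or single-quoted attribute value. '&' must be handled first so the
// entities produced for the other characters are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: attribute values are concatenated verbatim, so a '"' in params.id
// closes the attribute and the remainder of the value becomes new markup.
function buildEmbedHtmlUnsafe(params) {
  return '<embed id="' + params.id + '" src="' + params.path + '" ' +
         'type="application/x-shockwave-flash">';
}

// Hardened: every caller-supplied value is HTML-escaped at the point of use.
function buildEmbedHtmlSafe(params) {
  return '<embed id="' + escapeHtml(params.id) + '" src="' +
         escapeHtml(params.path) + '" type="application/x-shockwave-flash">';
}

// Lists the attribute names a tolerant parser would see in the fragment. The
// hardened builder must yield exactly the attributes it intended to write.
function attributeNames(html) {
  return Array.from(html.matchAll(/\s([a-zA-Z-]+)="/g), m => m[1]);
}

// Constructed sample: an id value containing the attribute delimiter.
const sampleParams = { id: 'player" extra="1', path: 'movie.swf' };

console.log(attributeNames(buildEmbedHtmlUnsafe(sampleParams)));  // gains "extra"
console.log(attributeNames(buildEmbedHtmlSafe(sampleParams)));    // id, src, type only
```

The attribute-name check is a cheap regression test for any helper that assembles markup from strings: if the set of attributes depends on the input, the input is being interpreted as markup.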

Timeline

2014-12-03: Initial disclosure.
2014-12-04: Security team notified of issue.
2014-12-08: Patch released and initial announcement.
2014-12-09: Full announcement.

What can I do to prevent this from happening in the future?

There is currently a lot of crufty old code in dojox that is unmaintained or undermaintained. We need more developers that use Dojo and are interested in adopting some of this old code, or developers who want to help us finish Dojo 2 so that we can replace this old code with new code that follows modern best practices for Web development.

If you’re interested in lending a helping hand, please get in touch by posting on the mailing list or visiting us at #dojo on irc.freenode.net. Thanks!

Dojo is now hosted on GitHub

I’m pleased to announce that after a prolonged period of incomplete mirroring, we’ve now fully migrated Dojo’s source code to GitHub. Future development will be performed there instead of the Subversion repository, which is now read-only and effectively dead. We will continue to use bugs.dojotoolkit.org for issue tracking, but patches should now be submitted directly as pull requests. The CONTRIBUTING.md guidelines in each repository provide guidelines on sending patches.

As an unavoidable part of this update, the old repositories on GitHub have had their histories rewritten. This means that any Git projects with submodules pointing to those old repositories will be broken. If you have such a project, please make sure you update your submodules. The old mirror repositories have been temporarily renamed with an `-oldmirror` suffix so you can find the correct commit ID for your project. These old mirror repositories will be going away in the near future.

Dojo Foundation provides €500 match to assist development of UglifyJS 2.0

Today, the Dojo Foundation board voted to approve a €500 match to the jQuery Foundation’s financial grant to the developer of UglifyJS, Mihai Bazon.

This grant is being provided to help speed development of the next major version of the open-source UglifyJS code compression library, which is a significant rewrite designed to provide better extensibility for new features like source maps and more aggressive compression methods. (UglifyJS is planned to be the replacement for ShrinkSafe in Dojo 2.0.) We’re very excited to be able to provide additional assistance to this extremely important project, and hope that others will be inspired to pitch in as well. Together, we can do amazing things!

Dojo 1.8.0 tagged, official release August 15

Well, it seems there’s no such thing as a soft launch when it comes to open source software. 🙂 We’ve tagged the final code for Dojo 1.8.0 in our git and subversion repositories and submitted it to our CDN partners, but you won’t find it on dojotoolkit.org yet because we’re still finishing up some needed final updates to the site and documentation. In less than a week, on August 15, we’ll be officially releasing the latest version of Dojo, along with a raft of new documentation and detailed information on all the new features included in this release. In the meantime, hang tight, and we’ll be all set next Wednesday for the grand unveiling.

Release bonanza! Dojo 1.4.4, 1.7.3, 1.8.0b1 released

Hi everyone! I’m pleased to offer not one, not two, but THREE new Dojo releases for your consumption.

Dojo 1.4.4 is now available. This is a maintenance release that backports browser fixes to add support for Internet Explorer 9 and Firefox 4+. Information on which fixes were backported to Dojo 1.4.4 is available on the bug tracker. This is basically identical to the Dojo 1.5.2 release that happened…whenever that happened! A little while ago. Thanks to kgf for managing this release.

Dojo 1.7.3 is now available. This is a bugfix release that resolves several issues with the 1.7 branch of Dojo, including issues with the i18n subsystem, legacy modules, and the build system running on Node.js. It also fixes a significant performance regression from 1.6 when loading many legacy modules and includes bugfixes for several other components. The full list of fixes for Dojo 1.7.3 is also available on the bug tracker.

Finally, Dojo 1.8.0b1 is now available. This is the first beta of the new Dojo 1.8 release and includes several exciting new features. A blog post written by interim supreme overlord Dylan Schiemann provides an overview of many of the most significant new features and enhancements coming to Dojo 1.8. There are close to 700 new features, enhancements, and bug fixes in this release, including a brand new documentation parser (written by yours truly) that will make the API browser work correctly again. As usual, the running list of changes that have made it into Dojo 1.8 so far is at the bug tracker.

Dojo 1.8 is on track at this point for a release in mid-to-late July. Beta 2, if necessary, will be released in about three weeks. CDN releases for Dojo 1.4.4, Dojo 1.5.2, and Dojo 1.7.3 have been submitted to Google. I will post again once those are made available.

OK, that’s it from me! Have a great solstice weekend.

Dojo 1.8 release schedule

In preparation for the release of Dojo 1.8, trunk is now in feature freeze, which means this code is considered feature complete for Dojo 1.8. This is the last step before a beta release. The release schedule is currently as follows:

Now: feature freeze
June 22: beta 1
July 13: release candidate 1 (note: if additional beta releases are necessary, each release will push this out by 1 week)
July 20: Final release (note: if additional rc releases are necessary, each release will push this out by 1 week)

Thank you to everyone that has helped make this release a success!

Dojo 1.7.2 status

Hi everyone,

Just a quick status update on 1.7.2. There were a couple of last minute build issues that were discovered in the RC which means that the release has been pushed back slightly. We’re hoping to have it out by Friday at the absolute latest; it may be out earlier than that depending upon how quickly the remaining issues can be ironed out.

Dojo 1.7.2rc1 released

Hello world,

I’m happy to announce the first release candidate for Dojo 1.7.2. This is a stability and bugfix release, and is the first to include official support for the newly released Firefox 10 ESR.

Download: http://download.dojotoolkit.org/release-1.7.2rc1/
List of fixes: http://bugs.dojotoolkit.org/query?group=status&milestone=1.7.2

Final release of 1.7.2 is planned for next Wednesday, so test and report any issues promptly! Thanks!